That was the focus of a seven-hour hearing on Tuesday in Luxembourg before the European Court of Justice, the EU's highest court, that featured testimony from Google, various EU countries as well as freedom of speech advocates.

France's data protection authority CNIL - the Commission nationale de l'information et des libertés - argued before a 15-judge panel that the so-called right to be forgotten should apply worldwide. Its view is backed by both the French and Austrian governments.

"We cannot simply limit those rights to the European frontiers, they would be dead rights," attorney Jean Lessi, who represents CNIL, told the court, Bloomberg reported.

Others, however, including the European Commission - the EU's politically independent executive arm - and Google argued that the right to be forgotten should only apply within the 28 member states within the EU.

"The worldwide delisting system proposed by the CNIL is completely untenable," Patrice Spinosi, a French lawyer who represents Google, told the ECJ panel, Politico reported. "Such a system would unreasonably interfere with the freedom of expression and information, and induce endless conflicts with countries which do not recognize the 'right to be forgotten'."

He added that such a move would be "completely unenvisagable," as well as "unreasonably interfere" with people's right to freely express themselves and access information as well as land the company in "endless conflicts" with any country that didn't wish for the EU's right to be forgotten to apply within its borders, Bloomberg reported.

Debate Over Extraterritoriality

The European Commission backs Google's position. Antoine Buchet, a lawyer for the European Commission, told judges during questioning that "we don't see extraterritoriality" in EU privacy law, the Wall Street Journal reported. "It's intellectually difficult to enter into that logic and give a universal effect to removals."

Also backing Google's position was Wikimedia Foundation - operator of Wikipedia - as well as Microsoft, which markets the Bing search engine. "It would be disastrous, not just for European citizens but for all internet users," Emmanuel Piwnica, a lawyer for Microsoft, told the court, Politico reported.

"A world in which one country or individual could impose their views to access information would not be acceptable," Piwnica said.

Also backing Google's position is the Reporters Committee for Freedom of the Press, a U.S. nonprofit organization, which has warned that extending the right to be forgotten could have "grave worldwide consequences."

The group wrote in a brief to the court that "there would be nothing to prevent other jurisdictions from claiming the same global scope of application for their own laws," which could quickly result in "a 'race to the bottom,' as speech prohibited by any one country could effectively be prohibited for all, on a worldwide basis."

France's Push

France's DPA, however, has long been pushing for Europeans' right to be forgotten to be extended worldwide. In 2015, it ordered Google to extend the "right to be forgotten" removals worldwide, opening the way to sanctions. In March 2016, CNIL slapped a €100,000 ($160,000) fine on Google for failing to honor "right to be forgotten" requests across every Google website.

Google appealed CNIL's order, which is what has brought the case before the ECJ.

CNIL attorney Lessi told the court on Tuesday that by failing to honor right to be forgotten requests worldwide, Google "doesn't stop the infringement of this fundamental right which has been identified, it simply reduces the accessibility.

A nonbinding ruling from the court is expected in December, and a final decision sometime next year.

Legal experts say that if the ECJ upholds France's request - which is by no means certain - other countries' governments would likely challenge the ruling - including the U.S., which constitutionally protects citizens' right to freedom of speech.

Putting the Ruling Into Practice

Europe's right to be forgotten - aka "right to erasure" - predates the EU's General Data Protection Regulation, which went into full effect in May. But GDPR further enshrines those rights under article 17, which states that in certain cases, "the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay."

A showdown over how widely the right to be forgotten should apply has been brewing since May 2014, when the court ruled that Google and other search engines must eliminate "inadequate, irrelevant or no longer relevant" results when Europeans request that they do so.

At the time, Google pronounced it "a disappointing ruling for search engines and online publishers in general." Some EU countries' lawmakers also slammed the ruling.

Google, however, quickly began allowing Europeans to request that some categories of information be removed, although initially began doing so only for European-specific domains, such as "www.google.fr" in France.

But some EU privacy regulators argued that under the right to be forgotten, URLs should not be viewable by Europeans from anywhere in the world and said Google should take steps to ensure no Europeans were able to circumvent removals. Some also argued that the URLs should be excised worldwide, meaning that the EU's privacy would apply extraterritorially (see EU Demands Global 'Right to Be Forgotten').

Search Engines: Google Dominates

In its 2014 ruling, the ECJ offered no practical guidance on how right to be forgotten requests should be evaluated or put into practice. Doing so has largely fallen to Google, which dominates the European search market.

To date, Google says that under the right to be forgotten, it has received 723,334 requests that have collectively asked it to "delist" 2.8 million URLs. It says 89 percent of requests have come from individuals.

Delisting requests from Europeans received by Google as of Sept. 12, 2018. (Source: Google)

Google says it has delisted 44 percent of all requests. It says it has delisted the most URLs from Facebook.com, French business listings site "annuaire.118712.fr," online people search engine "profileengine.com," Twitter.com, YouTube.com, Google Groups, Google Plus, Instagram, event promotion website "www.wherevent.com" and social network Badoo.

"A few common material factors involved in decisions not to delist pages include the existence of alternative solutions, technical reasons or duplicate URLs," Google says. "We may also determine that the page contains information which is strongly in the public interest."

Since 2016, Google has used geolocation to help restrict EU access to "removed" information.

"Pages are only delisted from results in response to queries that relate to an individual's name. We delist URLs from all of Google's European search results - results for users in France, Germany, Spain, etc. - and use geolocation signals to restrict access to the URL from the country of the requester," Google says.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;